Vulncheck

**Name of the Vulnerable Software and Affected Versions** Python StateMachine versions 3.0.0 through 3.1.x **Description** An issue exists where the library evaluates expressions from SCXML documents unsafely. The `SCXMLProcessor` passes attacker-controlled expression strings from `<data expr="...">` attributes through a call chain into Python's built-in `eval()` function without sandboxing. This allows for remote code execution in the context of the hosting process when a malicious SCXML document is parsed. **Recommendations** Update to version 3.2.0.

**Name of the Vulnerable Software and Affected Versions** Typemill versions prior to 2.24.0 **Description** Authenticated attackers with Author-level privileges can read arbitrary files outside the content directory. This is possible by supplying traversal sequences in the `path` query parameter passed to the `getFile()` function within the `Storage` class when an empty folder argument is used. This action bypasses the traversal-prevention controls implemented in the `getFolderPath()` function. **Recommendations** Update to version 2.24.0 or later. As a temporary workaround, restrict access to the `getFile()` function or monitor the `path` parameter for traversal sequences.

**Name of the Vulnerable Software and Affected Versions** NVIDIA Spatial Intelligence Lab's (SIL) GEN3C (affected versions not specified) **Description** The inference API server contains an unauthenticated remote code execution flaw. The endpoints '/request-inference' and '/seed-model' deserialize raw HTTP request bodies using the Python `pickle.loads()` function without requiring authentication or performing input validation. An attacker can send a crafted payload containing a ` reduce ` gadget to the inference API port to execute arbitrary code with the privileges of the inference process. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Perry versions prior to 0.5.1166 **Description** An issue in the JWT validation process allows remote attackers to bypass token expiration. This occurs because the `verify decode` helper within the stdlib JWT verification path unconditionally sets `validate exp` to `false`. Consequently, attackers with a previously issued bearer token can use expired tokens in any `jwt.verify()` call to maintain authenticated access indefinitely, bypassing session expiration mechanisms such as administrative revocation or user logout. **Recommendations** Update to version 0.5.1166 or later.

**Name of the Vulnerable Software and Affected Versions** Perry versions prior to 0.5.1159 **Description** A path traversal issue exists where a malicious build server can write arbitrary content to any location writable by the running process. This occurs when unsanitized path components are supplied in the `artifact name` field of ArtifactReady WebSocket messages. Attackers who control the server URL can deliver traversal payloads through the `artifact name` or `download path` fields, leading to the overwriting of sensitive files or the exposure of arbitrary local files to a location accessible by the attacker. **Recommendations** Update to version 0.5.1159 or later.

**Name of the Vulnerable Software and Affected Versions** KanaDojo versions prior to 0.1.18 **Description** A sandbox escape allows remote code execution with full GitHub Actions runner privileges, including access to the `AUTOMATION PR TOKEN` variable. The issue occurs in the issue-auto-respond.yml workflow due to the explicit passing of the global `require()` function into a Node.js `vm.runInNewContext()` sandbox context. An attacker can exploit this by submitting a pull request that modifies `messages.cjs` to import arbitrary Node.js modules, thereby bypassing sandbox restrictions. **Recommendations** Update to version 0.1.18 or later.

**Name of the Vulnerable Software and Affected Versions** KanaDojo (affected versions not specified) **Description** A command injection issue exists where an attacker with pull request access can execute arbitrary shell commands. This occurs when shell metacharacters are inserted into the `version` or `changes` fields of the 'patchNotesData.json' file. These fields are interpolated without sanitization into a `child process.execSync()` function call within the 'release.yml' workflow. A malicious pull request, once merged, can trigger the GitHub Actions runner, granting the attacker contents write permissions and access to the `GITHUB TOKEN`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to the project id variable without sanitization in oscal-functions.php, and when the supplied project ID is not found, the unsanitized value is concatenated into an error message via the Messages() function and reflected into the HTML response body without encoding.

**Name of the Vulnerable Software and Affected Versions** Ellucian Banner Self-Service versions prior to April T2 release (2025-04-23) **Description** A reflected cross-site scripting issue exists where unauthenticated attackers can execute arbitrary JavaScript in a victim's browser. This is achieved by injecting unsanitized input through the `toDateFormat` request parameter in the 'dateConverter' endpoint. Attackers can craft a malicious URL targeting this endpoint to steal session cookies or perform other malicious actions within the context of the victim's browser session. **Recommendations** Update to the April T2 release (2025-04-23) or a newer version. Avoid using the `toDateFormat` parameter in the 'dateConverter' endpoint until the update is applied.

OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles jsp.java when processed through the Upload DICOM images feature.

Evoluted PHP Directory Listing Script through 4.0.5 contains a reflected cross-site scripting vulnerability in index.php where the dir parameter value is reflected without HTML encoding inside the HTML title element and inside anchor href attributes in the breadcrumb navigation. Attackers can inject arbitrary JavaScript via crafted dir parameter values by breaking out of the title context or injecting event handlers into breadcrumb anchor attributes to execute malicious scripts in a victim's browser.

OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious input through the project request parameter. Attackers can craft a malicious URL containing unsanitized input that breaks out of the JavaScript string and HTML attribute context in the body onload event handler to execute arbitrary scripts when the link is visited by a victim.

OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application attempts to load proxies from the UNC path, triggering an SMB authentication attempt that discloses the NTLMv2 hash, which can then be relayed or cracked offline.

**Name of the Vulnerable Software and Affected Versions** AdGuard Home versions prior to 0.107.77 **Description** When started with the `--glinet` flag, the software contains an authentication bypass that allows unauthenticated attackers to gain full administrative access. This occurs due to unsanitized string concatenation in the token file path construction within the `authglinet` middleware. Attackers can use a path traversal sequence in the `Admin-Token` cookie to redirect file reads to arbitrary paths. Over 122,000 potentially affected devices have been identified worldwide. **Recommendations** Update to version 0.107.77 or later.

**Name of the Vulnerable Software and Affected Versions** WACRM versions prior to commit 73041bf **Description** An authorization bypass exists in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants. By providing an arbitrary `contact id` in the body of a 'POST' request, attackers can bypass tenant ownership verification. This is achieved by exploiting the service-role client, which bypasses row-level security (a security feature that restricts which rows of data a user can see or modify based on their identity), enabling the modification of victim contact fields such as name, email, and company across tenant boundaries using a known contact UUID. **Recommendations** Update WACRM to commit 73041bf or a later version.

OpenBullet2 through version 0.3.2 contains a path traversal vulnerability in the wordlist endpoint that allows authenticated attackers to perform arbitrary file read, write, and delete operations by supplying unsanitized absolute paths to the upload handler and wordlist functions. Attackers can chain the file write and delete primitives to achieve remote code execution by manipulating critical system files such as /etc/passwd, with full system impact since the application runs as root by default.

**Name of the Vulnerable Software and Affected Versions** QloApps versions prior to 1.7.1 **Description** A stored cross-site scripting issue exists in the admin file manager. Authenticated administrators can inject malicious JavaScript by uploading specially crafted SVG files. By embedding JavaScript event handlers, such as `onload`, within these files, arbitrary scripts can be executed in the browser of any user who views the uploaded file. **Recommendations** Update to a version later than 1.7.0. As a temporary mitigation, restrict the ability to upload SVG files through the admin file manager.

**Name of the Vulnerable Software and Affected Versions** OpenBullet2 versions prior to 0.3.3 **Description** An authentication bypass exists in the API key authentication middleware. Unauthenticated attackers can gain administrative access to the admin console and all API endpoints by providing an empty value in the `X-Api-Key` header. This occurs because the middleware compares the supplied header against an empty `AdminApiKey` default string. **Recommendations** Update to a version newer than 0.3.2.

OpenBullet2 through version 0.3.2 contains a remote code execution vulnerability that allows authenticated users to execute arbitrary commands by uploading script files (.bat.ps1.sh) through the FileProxySource proxy loading feature. Attackers can upload malicious script files as proxy sources, causing the server to execute the scripts and return output as proxy lines, resulting in arbitrary command execution on the host as the process user.

OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated users to execute arbitrary C# code on the server host by creating or modifying job configurations. Attackers can leverage the plain C# execution mode, which lacks reference filtering or API restrictions, to access the file system, spawn processes, and invoke arbitrary .NET APIs as the process user.